NoLag host? Is it legit?

Discussion in 'Hosting Advice' started by jimmys98, May 2, 2017.

  1. Hi, guys, I was searching for a cheap host and I found NoLag (https://nolag.host).

    It seems that they have a custom panel...

    I'm not sure...
     
  2. latiku

    Supporter

    There have been quite a few negative reviews of them on this site. Also, $1/gb and even the name of the host doesn't sound too promising.
     
    • Agree x 5
    • Like x 1
  3. Well when I joined their Discord the first thing I saw was "Node Offline" issues but yesterday they released "NoLagCP v2" and users have not reported any more issues.
     
    • Useful x 1
  4. Nice, a fully custom panel that is surely tested by a bunch of security engineers to prevent anyone from hacking your panel. That was sarcastic. Okay, but seriously, there's a reason all server hosts use Multicraft as their panel. One of the reasons is that it's secure. I cannot guarantee that their custom panel is secure too. It's just something that scratches my head a little.
     
    • Agree x 2
  5. latiku

    Supporter

    I know a few that host game servers with Pterodactyl and such.
     
    • Agree x 3
    • Funny x 1
  6. I just spoke with Dimitris#1101 (Discord), the solo developer of the panel. He told me that all account passwords are "hashed" and FTP passwords "encrypted". He also told me that they can't use other panels because they are expensive and it won't allow them to offer such pricing.

    Anyways, I'm buying a server and I'm going to tell you the quality...
     
  7. latiku

    Supporter

    You can get a feeling of the quality from what others have said on these forums.
    https://www.spigotmc.org/search/28765564/?q=nolag.host&o=relevance
     
  8. latiku

    Supporter

    It's very possible to spoof Discord accounts and give fake reviews. I'm just stating what's obvious, you can fake anything.
     
    • Agree x 1
  9. Hi there!

    I'd like to answer a few questions regarding nolag.host.

    Of course, we manage hundreds of clients. Sometimes, a few of them are not satisfied with our services. We refunded unsatisfied clients, current reviews should get (hopefully) updated soon as a lot changed.

    The reason for developing a custom control panel is because we strive to rely on custom code solutions instead of pre-made software. We used a gaming panel called "Xenopanel" made by Liam Denston; however, we switched our panel to our custom-made solution due to its security flaws.

    That's true, we had a few issues with our node daemons not responding to API calls. The issues, including the port-binding issue and the "server already started" issue, have been resolved in the latest release.

    I hope I was able to clarify a few things, I will be glad to answer further questions.

    Best regards,
    Bastian
     
    • Useful x 1
  10. Well, yesterday they were like shouting and spamming that the "Node Offline" message was showing up, and today everybody is quiet...
     
  11. Hi jimmys98,

    We'll be glad to offer you free trial credits.
    Please create an account on our control panel and send me a private message, I will be glad to help you so you can check our quality on your own.

    Best regards,
    Bastian
     
  12. As a student (almost graduated) software engineer and wanting to study ethical hacking, I find your trust in security disturbing. No matter how good your passwords are, a crap ton of hacks can be executed to still take control of your account, completely bypassing any required password.

    One day at school we learned about hashing passwords in MySQL to "increase" security. As someone who is thrilled by security, I went around class and tested out everyone's application's security. Every single application I tested was hacked in less than 3 seconds by me. They all had working hashes, mostly SHA256 or SHA512 if that means something to you. For those interested, it was a simple SQL injection I used to bypass the password and log in to any account I wanted. I just selected the first account I wanted to log in to, which is practically always the administrator.

    To prove my point: passwords mainly only prevent brute forcing. SQL injections, cross-site scripting, session hijacking, countless methods can be used to hack software. An advanced piece of software like a panel asks for countless security countermeasures and should not be taken lightly.

    I have personally asked the maker of Pterodactyl how their security was, and they convinced me. Their stuff is secure. I will definitely not guarantee the same with a custom panel that some host quickly put together to "stand out".
     
    #13 MrDienns, May 2, 2017
    Last edited: May 2, 2017
    • Like x 1
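The point in the post above, that a correct password hash does nothing against a login query built by string concatenation, as an added example (not code from this thread, from NoLagCP or from any poster). The user table and the injection string are constructed for the demo; the placeholder form is sqlite3's equivalent of a PDO prepared statement.

```python
"""Added example, not code from this thread or from NoLagCP: a login
check whose password hash is correct but whose SQL is built by string
concatenation, next to the same check with bound parameters. The user
table and the injection string are constructed for the demo."""
import hashlib
import sqlite3

# Textbook login-bypass input: closes the quoted username, makes the
# WHERE clause always true, and comments out the password comparison.
INJECTION_INPUT = "' OR 1=1 --"


def sha256_hex(text: str) -> str:
    # Unsalted SHA-256, as in the classroom apps described above; the salt
    # discussion further down the thread covers what a real store should do.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample table; the administrator sits in row 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("admin", sha256_hex("correct horse battery")),
         ("alice", sha256_hex("alice-password"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Hashing is right, the query is wrong: the username is spliced into
    the SQL text, so a crafted username rewrites the WHERE clause and the
    first row (the admin) comes back regardless of the password."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{sha256_hex(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with placeholders: the username is bound as data and is
    never parsed as SQL, so the injection string matches no account."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, sha256_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, injected:", login_vulnerable(db, INJECTION_INPUT, "anything"))
    print("safe, injected:      ", login_safe(db, INJECTION_INPUT, "anything"))
    print("safe, real creds:    ", login_safe(db, "alice", "alice-password"))
```

The only difference between the two functions is where the username goes: into the SQL text, or into the parameter tuple. Every other defence in the thread (hash algorithm, salt, FTP encryption) is irrelevant to this bug, which is why a custom panel needs parameterised queries everywhere, not just on the login form.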
  13. Hi,

    I can guarantee you that all passwords are hashed with a personal salt as a SHA256 hash which is individually generated for each user.

    You won't be able to use poisonous plugins (plugins that will enable local FTP servers to look at other clients' data or, even worse, give you access to the server itself). You won't be able to see any data.

    We prevented XSS injections and SQL injections to the best of our knowledge.

    To get back to your point: just because Multicraft is used by most hosting providers doesn't mean they're good. Even for a big, experienced panel (such as Multicraft) there is always the risk of someone finding and using potential security risks.

    Of course, you can feel free to test our panel and check its security. I'd be glad to discuss its security with you further :)

    Best regards,
    Bastian
     
  14. And that would be your first security mistake. If I recall correctly, salt isn't something that should be unique for each user.

    Here's why: you're saying every user has a unique salt. The only way to possibly use this salt is to store it somewhere persistent, in the database I assume. That means you have a database with usernames, passwords and salt all in the same place. What do you think happens when I somehow get a copy of the database? Exactly, I get not only the usernames and passwords, but also the salt. Me having the salt makes it completely useless. Salt is something that should be kept secret and should be separated from the database. What I did in school was a simple hard-coded string as salt for each user. Hack the database all you want, you'd still not have the salt, which means it would do its job perfectly when one tries to brute-force the hash. I'm not impressed yet ;)
     
    • Funny x 1
  15. Hi,

    Our salts are stored in a separate Redis database that can only be accessed by accessing the server locally (either using a library, directly, or using redis-cli), so you'd have to gain access to the server via SSH, and in order to do that you'd have to get the private key :)

    Again, I'd be happy to offer you a free trial so you can check our panel on your own.

    Best regards,
    Bastian
     
    • Like x 1
  16. You are completely wrong; salt should be unique for each user to prevent rainbow table attacks. If it isn't unique, it is possible to guess passwords of other users. Salt must be unique, it's security basics: https://security.stackexchange.com/...the-salt-need-to-be-unique-or-not-predictable

    All our interactions with the database are done by using prepared statements with PDO.

    Kind Regards,
    Dimitris, NoLagCP Developer.
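The salt argument running through the posts above (one hard-coded salt for everyone versus a random salt per user), as an added example that is neither the panel's code nor any poster's. Two facts it rests on: a salt's job is to be unique, not secret, so storing it in clear next to the hash is the standard layout; and a single application-wide salt makes equal passwords hash identically, so one cracked hash or one precomputed table over that salt covers every account that shares the password. The thread describes salted SHA-256; this example uses PBKDF2-SHA256 (iterated salted SHA-256 from the standard library) instead, and the `$`-separated record format is an assumption of the example.

```python
"""Added example, not code from this thread or from NoLagCP: one
hard-coded salt for every user versus a random per-user salt stored
beside the hash. PBKDF2-SHA256 and the record layout are this example's
choices, not the panel's."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000
# The "one secret string as salt for each user" design from the thread.
HARDCODED_SALT = b"classroom-secret-salt"


def hash_shared_salt(password: str) -> str:
    """Application-wide salt: two users with the same password get the
    same hash, so the table itself reveals who shares a password and a
    single precomputed table for this salt covers every account."""
    return hashlib.sha256(HARDCODED_SALT + password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random 16-byte salt, kept in clear inside the stored record.
    The salt is not a secret; its uniqueness is what defeats shared tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt read back from the record; constant-time
    comparison so the check does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """Two users pick the same password. Returns whether their stored
    hashes are equal under (shared salt, per-user salt)."""
    shared_equal = hash_shared_salt(password) == hash_shared_salt(password)
    per_user_equal = hash_password(password) == hash_password(password)
    return shared_equal, per_user_equal


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print("(shared-salt collision, per-user collision):", same_password_collides("hunter2"))
```

Moving the salts into a separate Redis store, as the host describes, does not change this picture: an attacker who copies the user table still needs to run a guess through the KDF once per account, which is exactly the work a per-user salt imposes whether or not the salt was secret. What the separate store does add is an availability dependency, since no login can be verified while Redis is unreachable.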
     
  17. If a hacker gets access to the password and salt, the salt becomes useless. As @Nolag_Bastian said, usernames and passwords are saved separately from the salt, which is a positive thing. You can have them unique, sure, just make sure they're separated. I used a hard-coded salt for each user in the past since I was only familiar with SQL. Getting a 2nd database wasn't an option for me. Having it separated makes it fine.
     

  18. Hi,

    Well, if a hacker gets to know the salt you used for general hashing it will be even worse :p

    Best regards,
    Bastian
     
  19. The fact that you claim to have developed this control panel within a week is worrisome. Companies like NodeCraft spent several months developing, testing, and in beta to ensure it was working as it should, plus likely having a 3rd party firm come in and pentest their product before allowing paying customers to use it.
     
    • Agree x 6
    • Like x 1